LetsEncrypt SSL failure on GCP - Cannot negotiate ALPN protocol

dejavuguides 2019-03-20 16:35:10 UTC #1

Keywords: WordPress + NGINX + SSL - Google Cloud Platform - Technical issue - Secure Connections (SSL/HTTPS)
bnsupport ID: cd546561-d522-68a6-d649-7a0adf3d5a22
Description:
I looked to follow the guide here. https://docs.bitnami.com/google/how-to/generate-install-lets-encrypt-ssl/

sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m myemailaddressiaddedhere@email.com -d mydomainherewithoutwww.com

Error message:
Error: Something went wrong when running the following command:

$ "$LEGO_BIN" --path "/opt/bitnami/letsencrypt" --tls --email="${email}" ${domain_args} run

    acme: Error -> One or more domains had a problem:

[dejavuguides.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "a
cme-tls/1" for tls-alpn-01 challenge

I also looked around at other articles for guidance - https://community.bitnami.com/t/letsencrypt-failure-cannot-negotiate-alpn-protocol/63726

bitnami - cd546561-d522-68a6-d649-7a0adf3d5a22

Site cannot be accessed via HTTP or IP. But can be accessed via SSH

jota 2019-03-21 11:20:02 UTC #2

Hi @dejavuguides,

Thank you for using Bitnami. We recorded this video to explain how to generate the SSL certificate in our solutions, can you take a look at it? The first step consist on checking if the domain is properly configured.

Thanks

Wordpress admin does not show thumbnails at all

dejavuguides 2019-03-21 11:54:37 UTC #3

Sure I'll take a look. Thanks for the fast replies, as always!

dejavuguides 2019-03-21 12:34:48 UTC #4

Hi @jota, I just gave this a go per your instructions on the handy Youtube video guide. It looks good, but I still seem to be getting the same error. I can't seem to get past the step after running the simple command.

Do you think it is because I am also running dejavuguides.com on Cloudflare for my www.dejavuguides.com domain? I added in blog.dejavuguides.com in addition to www.dejavuguides.com to see if I received the same error for the output below as well. I know that Cloudflare uses Let's Encrypt for their Universal SSL certificates for all domains.

Unmonitored nginx
/opt/bitnami/nginx/scripts/ctl.sh : Nginx stopped
2019/03/21 12:28:11 [INFO] [blog.dejavuguides.com, www.dejavuguides.com] acme: Obtaining bundled SAN certificate
2019/03/21 12:28:12 [INFO] [blog.dejavuguides.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/L_0gbH2
YPnWKOeytJO4vIBPeriWuNXFTL401T9-eP-M
2019/03/21 12:28:12 [INFO] [www.dejavuguides.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/_Q3tiLH1
YpqC-Vy53xCk5sT91dn9Qg9kvlu12nO7j-0
2019/03/21 12:28:12 [INFO] [blog.dejavuguides.com] acme: use tls-alpn-01 solver
2019/03/21 12:28:12 [INFO] [www.dejavuguides.com] acme: use tls-alpn-01 solver
2019/03/21 12:28:12 [INFO] [blog.dejavuguides.com] acme: Trying to solve TLS-ALPN-01
2019/03/21 12:28:17 [INFO] [blog.dejavuguides.com] The server validated our request
2019/03/21 12:28:17 [INFO] [www.dejavuguides.com] acme: Trying to solve TLS-ALPN-01
2019/03/21 12:28:23 Could not obtain certificates:
acme: Error -> One or more domains had a problem:
[www.dejavuguides.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protoco
l "acme-tls/1" for tls-alpn-01 challenge, url:
Error: Something went wrong when running the following command:
$ "$LEGO_BIN" --path "/opt/bitnami/letsencrypt" --tls --email="${email}" ${domain_args} run

dejavuguides 2019-03-21 12:37:54 UTC #5

I ran this command and also after changing directory to /opt/bitnami/letsencrypt/scripts/ running this command. Same error keeps popping up.

sudo ./generate-certificate.sh -m myemailaddressiaddedhere@email.com -d blog.dejavuguides.com -d www.dejavuguides.com

I have blog.dejavuguides.com grey clouded (not passing through Cloudflare security and performance, only DNS nameserver). www.dejavuguides.com remains on Cloudflare right now, but I plan to move off Cloudflare for that domain once I can get this new instance of Wordpress + GCP to work.

abjimenez 2019-03-22 13:47:56 UTC #6

Hi @dejavuguides,

Your domains www.dejavuguides.com and dejavuguides.com are completely managed by Cloudflare, not just the DNS configuration, Cloudflare is also proxying the web accesses to improve performance.

That means the SSL certificate for those domains should be configured in Cloudflare as Edge certificates, not in the WordPress instance, given that the https connections are stablished between the web browsers (clients) and Cloudflare (server).

If you check the Prerequisites to follow https://docs.bitnami.com/google/how-to/generate-install-lets-encrypt-ssl/, you can see "You have configured the domain name’s DNS record to point to the public IP address of your Bitnami application instance.". For the domains above, that's not happening, the domain names' DNS records point to Cloudfrlare.

On the other hand, you have another domain blog.dejavuguides.com that is configured in Cloudflare but only for DNS, as you call it, "grey clouded". In that scenario, https connections are stablished between web browsers (clients) and the GCP WordPress instance (server).

In that second case, you should be able to follow https://docs.bitnami.com/google/how-to/generate-install-lets-encrypt-ssl/ without any issues but you shouldn't include the domains fully managed by Cloudflare. The command to execute would be something like:

sudo ./generate-certificate.sh -m myemailaddressiaddedhere@email.com -d blog.dejavuguides.com

Let us know if this information helps you to understand the issue.

Best regards,
Andrés Bono.

SSL certificate renewal

Not able to renew the SSL in Bitnami

dejavuguides 2019-03-28 20:47:13 UTC #7

Hi @abjimenez, apologies for the delayed reply, just on the road.

Thank you for looking into this further. That's correct. I'm only looking at the subdomains not passing through Cloudflare actively (and yes, grey cloud is the Cloudflare terminology for it).

I have been running this command:

sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m myemailaddressiaddedhere@email.com -d blog.dejavuguides.com

2019/03/28 20:44:25 [INFO] [blog.dejavuguides.com] acme: Trying to solve HTTP-01
2019/03/28 20:44:36 accept tcp [::]:80: use of closed network connection
2019/03/28 20:44:36 Could not obtain certificates
acme: Error -> One or more domains had a problem:
[blog.dejavuguides.com] acme: Error 400 - urn:ietf:params:acme:error:connection - Fetching http://blog.dejavuguides.com/.well-known/acme-challenge/saWWCBZ9H6_qXswvQrZOjYpRONi5Ckd12t6-7iivs24: Timeout during connect (likely firewall problem)

Error: Something went wrong when running the following command:

$ "$LEGO_BIN" --path "/opt/bitnami/letsencrypt" --email="${email}" ${domain_args} run

abjimenez 2019-04-02 13:29:42 UTC #8

Hi @dejavuguides,

The command seems to be correct. The error message shows that the machine has the 80 port closed. Can you check it?

Also, please check that your domain name resolution is correctly configured. Is it pointing to the correct IP and machine? You can use this online tool to check DNS resolution: https://www.whatsmydns.net/#A/blog.dejavuguides.com

Best regards,
Andrés Bono.

dejavuguides 2019-04-03 21:54:40 UTC #9

Hi Andres,

Good question. That's the correct IP address for the DNS resolution. I just checked and that is my direct IP address for my GCP Wordpress instance.

If you were doing testing yesterday, blog.dejavuguides.com would have not been working, as I turned off the instance, while waiting for a reply here (to save on running costs). It is live again in case you need to check.

I can confirm that my DNS is CNAME to the GCP Wordpress instance IP address that pops up in this DNS resolution query. https://www.whatsmydns.net/#A/blog.dejavuguides.com.

dejavuguides 2019-04-03 21:58:07 UTC #10

I believe port 80 is open. Based on what I see here. Does that look correct to you too?

https://console.cloud.google.com/networking/firewalls/list

abjimenez 2019-04-08 15:16:43 UTC #11

@dejavuguides, the firewall configuration seems to be correct. Is your domain pointing to that machine?

If all is correct, I don't see why the generate-certificate.sh script is failing with that specific message.

Best regards,
Andrés Bono.

dejavuguides 2019-04-11 11:31:19 UTC #12

Okay good news!

I just tested the same commands again. Making no changes to the GCP configuration and/or Cloudflare.com configurations and it is just working. Thank you very much for your patience and assistance in troubleshooting here! @abjimenez.

I seriously do not know why it was not working earlier.

Here are the details of the command used (per documentation) for anyone reading this in the future.

$ sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m emailaddress@forcertificate.com -d blog.dejavuguides.com

This tool will now stop the web server and configure the required SSL certificate. It will also start it again once
finished.
It will create a certificate for the domain "blog.dejavuguides.com" under the email "emailaddress@forcertificate.com"
Do you want to continue? [y/n]: y
Please answer yes [y] or no [n]. Do you want to continue? [y/n]: y
Unmonitored nginx
/opt/bitnami/nginx/scripts/ctl.sh : Nginx stopped
2019/04/11 11:25:10 [INFO] [blog.dejavuguides.com] acme: Obtaining bundled SAN certificate
2019/04/11 11:25:10 [INFO] [blog.dejavuguides.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/L_0gbH2
YPnWKOeytJO4vIBPeriWuNXFTL401T9-eP-M
2019/04/11 11:25:10 [INFO] [blog.dejavuguides.com] acme: authorization already valid; skipping challenge
2019/04/11 11:25:10 [INFO] [blog.dejavuguides.com] acme: Validations succeeded; requesting certificates
2019/04/11 11:25:11 [INFO] [blog.dejavuguides.com] Server responded with a certificate.
/opt/bitnami/nginx/scripts/ctl.sh : Nginx started
Monitored nginx
Congratulations, the generation and configuration of your SSL certificate finished properly.
You can now configure a cronjob to renew it every month.
Do you want to proceed? [y/n]: y

Technologies used:
* Bitnami WordPress with NGINX and SSL - https://bitnami.com/stack/wordpress-pro
* Cloudflare Enterprise plan (though Cloudflare Free plan will also be sufficient as I am only using the DNS function for this subdomain here).

Thank you again. We can close this ticket!

dejavuguides 2019-04-11 11:34:59 UTC #13

This is a test using the dejavuguides.com subdomain that I was working on.

I have just checked the frontend via Google Chrome and visited https://blog.dejavuguides.com and we can see the nice SSL certificate there!

Visiting the page blog.dejavuguides.com

Opening the SSL certificate lock to see the certificate on blog.dejavuguides.com

abjimenez 2019-04-12 10:27:57 UTC #14

Great @dejavuguides!!!

Thanks for sharing more details about the commands that you have executed to make it work and the checks that you have done. It will be useful for users that find this thread.

Best regards,
Andrés Bono.

abjimenez 2019-04-12 10:28:12 UTC #15

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!